SELinux policy configuration
Go to file
Zdenek Pytela 9a58e62d76 * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
- Allow ipsec_t read/write tpm devices
- Allow rhcd execute all executables
- Update rhcd policy for executing additional commands 2
- Update insights-client policy for additional commands execution 2
- Allow sysadm_t read raw memory devices
- Allow chronyd send and receive chronyd/ntp client packets
- Allow ssh client read kerberos homedir config files
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
- Update insights-client policy (auditctl, gpg, journal)
- Allow system_cronjob_t domtrans to rpm_script_t
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
- Update tor_bind_all_unreserved_ports interface
- Allow chronyd bind UDP sockets to ptp_event ports.
- Allow unconfined and sysadm users transition for /root/.gnupg
- Add gpg_filetrans_admin_home_content() interface
- Update rhcd policy for executing additional commands
- Update insights-client policy for additional commands execution
- Add userdom_view_all_users_keys() interface
- Allow gpg read and write generic pty type
- Allow chronyc read and write generic pty type
- Allow system_dbusd ioctl kernel with a unix stream sockets
- Allow samba-bgqd to read a printer list
- Allow stalld get and set scheduling policy of all domains.
- Allow unconfined_t transition to targetclid_home_t
2022-09-02 14:10:03 +02:00
tests test-reboot.yml: test.log is mandatory, improve results format 2020-08-27 07:49:02 +02:00
.gitignore Clean up .gitignore 2020-11-03 12:25:19 +01:00
booleans-minimum.conf Remove ftp_home_dir boolean from distgit 2016-04-26 14:04:52 +02:00
booleans-mls.conf Make rawhide == f18 2012-12-17 17:21:00 +01:00
booleans-targeted.conf Change default value of use_virtualbox boolean 2019-09-16 16:08:14 +02:00
booleans.subs_dist subs virt_sandbox_use_nfs by virt_use_nfs 2016-07-16 17:52:41 +02:00
COPYING remove extra level of directory 2006-07-12 20:32:27 +00:00
customizable_types * Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221 2016-10-17 20:52:01 +02:00
file_contexts.subs_dist Add /var/mnt equivalency to /mnt 2021-01-22 10:32:59 +01:00
ifndefy.py Add a script for enclosing interfaces in ifndef statements 2022-06-29 18:34:21 +00:00
make-rhat-patches.sh Use the rawhide branch instead of master 2021-02-04 17:12:07 +01:00
Makefile.devel Hard code to MLSENABLED 2011-08-22 16:30:20 -04:00
modules-minimum.conf - More access needed for devicekit 2010-08-30 11:58:36 -04:00
modules-mls-base.conf Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. 2015-07-16 09:10:21 +02:00
modules-mls-contrib.conf Make active lsm module in MLS policy 2019-04-05 11:03:51 +02:00
modules-targeted-base.conf * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23 2020-08-03 13:25:54 +02:00
modules-targeted-contrib.conf Add stalld module to modules-targeted-contrib.conf 2022-04-21 09:10:30 +02:00
modules-targeted.conf * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3 2021-08-27 11:50:45 +02:00
permissivedomains.cil Remove all domains from permissive domains, it looks these policies are tested already 2019-01-13 19:28:55 +01:00
README.md Fix typos and grammar in README 2020-12-02 09:41:43 +01:00
rpm.macros Update rpm.macros file fomr the upstream repo 2019-11-05 17:50:20 +01:00
securetty_types-minimum - Update to upstream 2010-03-18 15:47:35 +00:00
securetty_types-mls - Update to upstream 2010-03-18 15:47:35 +00:00
securetty_types-targeted - Update to upstream 2010-03-18 15:47:35 +00:00
selinux-check-proper-disable.service Add a systemd service to check that SELinux is disabled properly 2021-06-22 09:38:56 +00:00
selinux-policy.conf We need to setcheckreqprot to 0 for security purposes 2015-04-16 14:00:38 -04:00
selinux-policy.spec * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1 2022-09-02 14:10:03 +02:00
setrans-minimum.conf - Update to Latest upstream 2009-03-03 20:10:30 +00:00
setrans-mls.conf - Multiple policy fixes 2006-09-19 14:59:46 +00:00
setrans-targeted.conf - Update to Latest upstream 2009-03-03 20:10:30 +00:00
sources * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1 2022-09-02 14:10:03 +02:00
users-minimum Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00
users-mls Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00
users-targeted Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00

Purpose

SELinux Fedora Policy is a fork of the SELinux reference policy. The fedora-selinux/selinux-policy repo makes Fedora packaging simpler and more transparent for packagers, upstream developers, and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, and for communication with upstream and the community. It reflects the upstream repository structure to make submitting patches to upstream easy.

Structure

GitHub

On GitHub, we have one repository containing the policy sources.

$ cd selinux-policy
$ git remote -v
origin	git@github.com:fedora-selinux/selinux-policy.git (fetch)

$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide

Note: As opposed to dist-git, the Rawhide content resides in the rawhide branch rather than master.

dist-git

Package sources in dist-git are composed from the selinux-policy repository snapshot tarball, container-selinux policy files snapshot, the macro-expander script snapshot, and from other config files.

Build process

  1. Clone the fedora-selinux/selinux-policy repository.

     $ cd ~/devel/github
     $ git clone git@github.com:fedora-selinux/selinux-policy.git
     $ cd selinux-policy
    
  2. Create, backport, or cherry-pick needed changes to a particular branch and push them.

  3. Clone the selinux-policy dist-git repository.

     $ cd ~/devel/dist-git
     $ fedpkg clone selinux-policy
     $ cd selinux-policy
    
  4. Download the latest snapshot from the selinux-policy GitHub repository.

     $ ./make-rhat-patches.sh
    
  5. Add changes to the dist-git repository, bump release, create a changelog entry, commit, and push.

  6. Build the package.

     $ fedpkg build